general
  • f

    flat-insurance-25294

    12/20/2019, 11:00 AM
    I got some issues with a few things Pulumi does before we can actually start migrating over. I am hoping I could get some eyes on this and maybe even suggestions. I am not comfortable with secrets stored in the repo, encrypted or not. We do store the secrets on GitHub, not in the repo but as GitHub Action secrets. In fact, we also store configs there (but not as secret). In the future we would like to store our configs as an .env file and read that into the CI. Is there a way Pulumi could work without config and secrets being defined in the stack.yml file?
  • g

    gifted-engine-92308

    12/20/2019, 11:01 AM
    So I have tried with child_process:
  • g

    gifted-engine-92308

    12/20/2019, 11:01 AM
    let out = exec("pulumi up -y", (err, stdout) => {
          if (err) {
            console.log(err);
            console.log(stdout);
    
            throw new Error("Failed to call up on pulumi " + err);
          }
    
          observer.complete();
        })
  • g

    gifted-engine-92308

    12/20/2019, 11:01 AM
    and execa
  • g

    gifted-engine-92308

    12/20/2019, 11:01 AM
    const subp = execa.sync("pulumi", ['up', '-y'], {
            cwd: options.targetDirectory
          });
          subp.stdout.pipe(process.stdout);
          const { stdout } = await subp;
  • g

    gifted-engine-92308

    12/20/2019, 11:02 AM
    either way it just hangs halfway through or errors in some way that it doesn't when running it in terminal
  • f

    flat-insurance-25294

    12/20/2019, 11:05 AM
    Is there a typo there?
    execa?
  • f

    flat-insurance-25294

    12/20/2019, 11:06 AM
    What kind of error?
  • g

    gifted-engine-92308

    12/20/2019, 11:07 AM
    execa is a node package
  • g

    gifted-engine-92308

    12/20/2019, 11:07 AM
    the child_process error is this:
    Error: Failed to call up on pulumi Error: Command failed: pulumi up -y
    
        at exec (/Users/waynedouglas/src/sonaticket-pulumi/commands/up.js:25:15)
        at ChildProcess.exithandler (child_process.js:301:5)
        at ChildProcess.emit (events.js:198:13)
        at ChildProcess.EventEmitter.emit (domain.js:448:20)
        at maybeClose (internal/child_process.js:982:16)
        at Socket.stream.socket.on (internal/child_process.js:389:11)
        at Socket.emit (events.js:198:13)
        at Socket.EventEmitter.emit (domain.js:448:20)
        at Pipe._handle.close (net.js:607:12)
  • g

    gifted-engine-92308

    12/20/2019, 11:07 AM
    so nothing of any use!
  • g

    gifted-engine-92308

    12/20/2019, 11:07 AM
    i'm currently running pulumi up and it's already gone beyond where it was
  • f

    flat-insurance-25294

    12/20/2019, 11:13 AM
    Not having those issues here with Ruby. I will try out with Node later but I can’t right now. Anyhow, that’s how we do it. We use Ruby to prepare a lot of stuff, like creating new stacks, feeding secrets and configs, etc.
  • f

    flat-insurance-25294

    12/20/2019, 11:14 AM
    Which brings me to my question: I got some issues with a few things Pulumi does before we can actually start migrating over. I am hoping I could get some eyes on this and maybe even suggestions. I am not comfortable with secrets stored in the repo, encrypted or not. We do store the secrets on GitHub, not in the repo but as GitHub Action secrets. In fact, we also store configs there as clear text. In the future we would like to store our configs as an .env file and read that into the CI. Is there a way Pulumi could work without config and secrets being defined in the stack.yml file?
  • f

    flat-insurance-25294

    12/20/2019, 11:16 AM
    @gifted-engine-92308 try this
    const { spawn } = require('child_process');
    const ls = spawn('pulumi', ['up', '-y']);
    
    ls.stdout.on('data', (data) => {
      console.log(`stdout: ${data}`);
    });
    
    ls.stderr.on('data', (data) => {
      console.error(`stderr: ${data}`);
    });
    
    ls.on('close', (code) => {
      console.log(`child process exited with code ${code}`);
    });
  • g

    gifted-engine-92308

    12/20/2019, 11:17 AM
    ah ok
  • f

    flat-insurance-25294

    12/20/2019, 11:17 AM
    Let me know how it works, I’m curious. We wanna switch Ruby to TypeScript eventually
  • g

    gifted-engine-92308

    12/20/2019, 11:19 AM
    i'll be trying it within the next 5 mins 🙂
  • g

    gifted-engine-92308

    12/20/2019, 11:28 AM
    ok - so now I have an error that i can see 🙂
  • g

    gifted-engine-92308

    12/20/2019, 11:28 AM
    so that method is definitely better
  • f

    flat-insurance-25294

    12/20/2019, 11:38 AM
    What was the error?
  • g

    gifted-engine-92308

    12/20/2019, 11:41 AM
    it's something related to cert-manager that's not happening when i run it in terminal so looking into that now
  • f

    flat-insurance-25294

    12/20/2019, 3:03 PM
    @gifted-engine-92308 Can you check if it’s possible to await an output? Since we check configs for conditionals.
  • c

    cool-egg-852

    12/20/2019, 4:25 PM
    Why does pulumi not realize the instance is gone and stop trying to delete the user?
    gcp:sql:User (sellercenter-vtex-gateway-vault):
        error: deleting urn:pulumi:development::sellercenter-vtex-gateway::gcp:sql/user:User::sellercenter-vtex-gateway-vault: Error, failed to deleteuser vault in instance sellercenter-vtex-c7eeaca: googleapi: Error 400: Invalid request: Invalid request since instance is not running., invalid
    
      gcp:sql:User (sellercenter-vtex-gateway):
        error: deleting urn:pulumi:development::sellercenter-vtex-gateway::gcp:sql/user:User::sellercenter-vtex-gateway: Error, failed to deleteuser sellercenter-vtex-gateway-7acd01a in instance sellercenter-vtex-c7eeaca: googleapi: Error 400: Invalid request: Invalid request since instance is not running., invalid
  • b

    better-rainbow-14549

    12/20/2019, 4:47 PM
    you might be able to do a pulumi refresh to make it notice
  • b

    better-rainbow-14549

    12/20/2019, 4:47 PM
    instead of it failing to delete
  • g

    great-tomato-45422

    12/20/2019, 7:26 PM
    is there a way to do pulumi preview without it building containers?
  • p

    prehistoric-account-60014

    12/20/2019, 10:22 PM
    Can somebody help with debugging a 400 status code from the CLI? I’m attempting to run:
    pulumi config --verbose=3 --stack $PULUMI_STACK --config-file Pulumi.development.yaml --show-secrets --json)
    but all I’m seeing is:
    error: could not decrypt configuration value: [400] Message authentication failed
    I was hoping --verbose=3 would help a bit but there isn’t any extra information compared to the non-verbose run.
  • p

    prehistoric-account-60014

    12/20/2019, 11:49 PM
    Is there a resource similar to azure.containerservice.Registry or data source similar to gcp.container.getRegistryRepository for @pulumi/gitlab?
  • f

    flat-insurance-25294

    12/21/2019, 2:05 PM
    How strongly is tagging enforced in Pulumi? I’m concerned over the amount of resources created and no way to track them in the AWS console. We don’t issue deletion/destroying via Pulumi but manually via the AWS console and want to keep it that way.
w

white-balloon-205

12/21/2019, 3:07 PM
Pulumi itself is not opinionated about tagging - but you can provide tags yourself - and there are several features to help you enforce this yourself:
1. Components that you create which include tags which can be reused
2. Stack transformations to auto-inject tags into supported resource types
3. Policy as code to enforce that resources cannot be created without tags
f

flat-insurance-25294

12/21/2019, 3:07 PM
Hmm so if I set tags on a stack, it will seed it to all the resources created? Including Subnets in a VPC?
@white-balloon-205 The policy thing is nice, but I saw a tutorial that extended the TS runtime to enforce it at compile time. Might combine both, but actually seeding tags via stack sounds like an even better solution; if anything it’s a big catch-all in case policy and TS compile time fails 🙂
Now I gotta figure out IAM stuff. I am a bit confused over those portions. I want to dynamically create my stacks per PR and set up resources on AWS. I don’t want to allow destroying any resource, just mutate or create. But I guess Pulumi sometimes needs destroyable roles/auth because create might need it, am I correct?